DISA STIGS Viewer

The Dell OS10 Router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.

Overview

Finding ID: V-269873
Version: OS10-RTR-000390
Rule ID: SV-269873r1052004_rule
IA Controls:
Severity: Medium
Description
Fragmented ICMP packets can be generated by hackers for denial-of-service (DoS) attacks such as Ping O' Death and Teardrop. It is imperative that all fragmented ICMP packets are dropped.
STIG: Dell OS10 Switch Router Security Technical Implementation Guide
Date: 2024-12-11

Details

Check Text (C-73906r1052002_chk)
Review the access control list (ACL) for the control plane receive path.

Verify that it will drop all fragmented ICMP packets destined to itself.

Step 1: Review the router configuration to verify that an ACL is configured that drops fragmented ICMP packets.

!
ip access-list FILTER_FRAGMENTED_ICMP
seq 10 deny icmp any any log fragment
...
seq 20 permit ip any any

Step 2: Examine the configuration to verify the ACL above is applied to packets destined to the control plane.

!
control-plane
ip access-group FILTER_FRAGMENTED_ICMP data in

Note: As shown above, OS10 can filter fragmented packets that arrive on the front panel data ports. OS10 does not support filtering fragmented packets arriving on the OOBM management ethernet interface.

If the router is not configured with a receive-path filter to drop all fragmented ICMP packets, this is a finding.
Fix Text (F-73807r1052003_fix)
Ensure all routers have their receive path filter configured to drop all fragmented ICMP packets.

Step 1: Configure a control-plane ACL that drops fragmented ICMP packets.

OS10(config)# ip access-list FILTER_FRAGMENTED_ICMP
OS10(config-ipv4-acl)# seq 10 deny icmp any any log fragment
OS10(config-ipv4-acl)# seq 20 permit ip any any

Step 2: Apply the ACL above to the control-plane.

OS10(config)# control-plane
OS10(config-control-plane)# ip access-group FILTER_FRAGMENTED_ICMP data in
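To apply the check above to many devices at once, the following Python script (an added example, not part of the STIG or of Dell's own tooling) parses a saved running-configuration excerpt and verifies both steps: an ACL whose first entry matching fragmented ICMP is a deny, and that ACL applied under control-plane with "ip access-group NAME data in". It goes one step beyond the check text by evaluating entries in seq order, so an earlier "permit icmp any any" that would match the fragments before the deny is reported as a failure. The configuration samples are constructed, and the one-space indentation of stanza children is an assumption about OS10 running-config output.

```python
"""Offline compliance check for OS10-RTR-000390 against saved running-config text."""
from __future__ import annotations

import re

# Constructed sample matching the STIG's fix text (not captured from a real device).
COMPLIANT_CONFIG = """\
!
ip access-list FILTER_FRAGMENTED_ICMP
 seq 10 deny icmp any any log fragment
 seq 20 permit ip any any
!
control-plane
 ip access-group FILTER_FRAGMENTED_ICMP data in
!
"""

# Constructed sample: the ACL exists but was never applied to the control plane.
UNAPPLIED_CONFIG = """\
!
ip access-list FILTER_FRAGMENTED_ICMP
 seq 10 deny icmp any any log fragment
 seq 20 permit ip any any
!
control-plane
!
"""

# Constructed sample: an earlier permit matches the fragments first and shadows the deny.
SHADOWED_CONFIG = """\
!
ip access-list FILTER_FRAGMENTED_ICMP
 seq 5 permit icmp any any
 seq 10 deny icmp any any log fragment
 seq 20 permit ip any any
!
control-plane
 ip access-group FILTER_FRAGMENTED_ICMP data in
!
"""

ACE_RE = re.compile(r"^seq\s+(\d+)\s+(permit|deny)\s+(\S+)\s+(.*)$")


def parse_sections(config: str) -> dict[str, list[str]]:
    """Group child lines under their top-level stanza line; '!' ends a stanza.

    A child is an indented line, or (to tolerate copy-pasted output that lost its
    indentation) a 'seq' / 'ip access-group' line that follows a stanza header."""
    sections: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text == "!":
            current = None
            continue
        is_child = raw[0] in " \t" or text.startswith(("seq ", "ip access-group "))
        if is_child and current is not None:
            sections[current].append(text)
        else:
            current = text
            sections.setdefault(current, [])
    return sections


def fragment_deny_acls(sections: dict[str, list[str]]) -> list[str]:
    """Names of ACLs whose first entry matching any-to-any ICMP fragments is a deny.

    Entries are walked in seq order, as the device evaluates them. 'deny icmp any any'
    without the fragment keyword also qualifies, since it drops the fragments too.
    Entries scoped to specific hosts/prefixes are not modelled and are skipped."""
    names = []
    for header, lines in sections.items():
        m = re.match(r"^ip access-list\s+(\S+)$", header)
        if not m:
            continue
        entries = []
        for line in lines:
            e = ACE_RE.match(line)
            if e:
                entries.append((int(e.group(1)), e.group(2), e.group(3), e.group(4).split()))
        for _seq, action, proto, rest in sorted(entries):
            if proto not in ("icmp", "ip") or rest[:2] != ["any", "any"]:
                continue
            if action == "deny":
                names.append(m.group(1))
            break  # first matching entry decides; a permit here shadows any later deny
    return names


def applied_to_control_plane(sections: dict[str, list[str]], acl_name: str) -> bool:
    """True if the ACL is bound to the control plane's data-port receive path."""
    pattern = re.compile(rf"^ip access-group\s+{re.escape(acl_name)}\s+data\s+in$")
    return any(pattern.match(line) for line in sections.get("control-plane", []))


def check_os10_rtr_000390(config: str) -> tuple[bool, str]:
    """Return (compliant, reason) for one device's running-config text."""
    sections = parse_sections(config)
    acls = fragment_deny_acls(sections)
    if not acls:
        return False, "no ACL denies any-to-any fragmented ICMP before a permit matches it"
    for name in acls:
        if applied_to_control_plane(sections, name):
            return True, f"{name} drops fragmented ICMP and is applied to control-plane data in"
    return False, f"ACL(s) {', '.join(acls)} exist but none is applied to the control plane"


if __name__ == "__main__":
    for label, cfg in [("compliant", COMPLIANT_CONFIG), ("unapplied", UNAPPLIED_CONFIG),
                       ("shadowed", SHADOWED_CONFIG)]:
        ok, why = check_os10_rtr_000390(cfg)
        print(f"{label:10s} {'PASS' if ok else 'FINDING'}: {why}")
```

Feed it the output of "show running-configuration" saved per device; a False result corresponds to a finding under the check text above. Note that, per the STIG's own note, this only covers front-panel data ports, since OS10 does not filter fragments on the OOBM management interface.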